[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Second draft of CyberCrime Treaty Statement

I like Dave Mann's last draft.  I support the process Steve outlines
below.  I'm comfortable with Spaf co-ordinating since he's done this
kind of thing well in the past.  But I think it's important that it's
made clear that the letter was a collaborative effort by many CVE board
folks, rather than Spaf's initiative.

I'm not quite sure what a practical process for gathering
signatures/endorsements is.  Presumably that's for the co-ordinator to


"Steven M. Christey" wrote:
> I agree with David LeBlanc and Gene Spafford that we should come up
> with a final draft, then ask people to sign it.  I wasn't clear,
> sorry...
> Here's what I see as a plan of action, with some overlap between the
> different items:
> 1) Participating Board members finish and agree to a statement
> 2) Each participating Board member works with their organization to
>    see if the organization itself can support it
> 3) Participating Board members endorse the agreement, as individuals
>    or as an organization-wide endorsement
> 4) Identify a coordinator for outreach efforts
> 5) Each participating Board member performs their own outreach to
>    their own contacts, and works with the coordinator, who maintains
>    the "master list" of endorsements.
> 6) If any serious, near-unanimous concerns are expressed with the
>    statement, *consider* making modifications.
> Below are some of my editing comments on the draft.  Dave Mann, are
> you coordinating your later drafts with Adam Shostack?  Who is the
> "official holder" of the draft at this point?
> Spaf suggested moving away from referring to ourselves as "experts"
> and instead using "professionals" or related terms.  I agree with
> this, and another Board member suggested a similar modification in a
> private email.
> I agree with David LeBlanc that we shouldn't specifically mention
> "young security enthusiasts who behave unethically" - but on the other
> hand, it's the free exchange of information that helps talented but
> inexperienced people to learn and make contributions of their own.
> (For example, how many high-quality posters to *Bugtraq with unknown
> hat colors have been snapped up by security companies?)  So I think we
> need to address this *somehow*, because some "young enthusiasts" with
> white hats may not be recognized as professionals.
> I suggest that we not mention funding at all.
> I also agree with others that we shouldn't mention Stackguard.
> - Steve

Stuart Staniford  ---  President  ---  Silicon Defense
(707) 445-4355                     (707) 445-4222 (FAX)

Page Last Updated or Reviewed: May 22, 2007